Cannot reach VPN clients from inside Hosts

Hello,

I'm hoping someone can point out what I'm missing with this config. I am able to reach VPN clients (AnyConnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on the VPN. The ASA is running version 8.4.

Cannot reach VPN clients from inside Hosts

1. No split tunnel policy.

2. The routes are in place. The inside NIC of the ASA is directly connected to a L3 switch configured to point to the ASA inside IP as the next hop to 10.11.10.0/24.

I don't know if I need to specify an incoming ACL on the inside interface; I thought that by default the ASA should allow this coming from security level 100. I even removed any ACL but didn't make any difference. I also tried removing the "no proxy-arp" under the "nat" line but also didn't make any difference.

I feel that this has something to do with defining the internal subnets somewhere on the ASA because I already confirmed reachability towards 10.11.10.0/24 from the directly connected subnet. I just don't know if this is correct or where to add these subnets.

Cannot reach VPN clients from inside Hosts

Yes, these are directly connected to the L3 switch as SVIs.

ASA-------Cat3560---SVIs: 177.1.10.0/24 & 177.1.11.0/24

If I do an extended ping sourcing these subnets, I cannot reach the 10.11.10.0/24. I can only reach up to the ASA's inside interface. The port the ASA is connected to on the switch is defined as a routed interface. On the ASA logs, I can see traffic FROM (as well as TO) these networks.

Cannot reach VPN clients from inside Hosts

Sorry, I forgot to reply to your first question - no, I don't think I have any VPN filter defined. It's basically a clean ASA with only the Startup and VPN wizards producing the above configuration. I don't recall any part of the wizard where I was asked to define a filter, unless I missed it. This is all that's defined for the VPN portion:

Cannot reach VPN clients from inside Hosts

Sorry for the late reply. I finally proved that the base config produced by the SSL VPN wizard by default allows me to access the remote clients from the LAN. The issue was a routing/switching config on the next-hop L3 switch. I wasn't sure at first whether the cause of the one-way VoIP audio between the VPN clients and the LAN was due to the ASA.

I did try removing the no-proxy-arp route-lookup without any difference in the traffic behaviour.
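For reference, here is the pair of configurations that the thread converges on: the ASA side (wizard-style identity NAT for the VPN pool plus routes to the non-directly-connected subnets) and the L3 switch side (routed uplink port plus a static route for the VPN pool back to the ASA). This is an added example, not the poster's actual configuration, and everything not stated in the thread is assumed: the inside interface subnet 177.1.1.0/24 with the ASA at 177.1.1.1 and the switch routed port at 177.1.1.2, the interface and object names, and the VLAN numbers. Only the VPN pool 10.11.10.0/24 and the SVI subnets 177.1.10.0/24 and 177.1.11.0/24 come from the posts.

```cisco
! ===== ASA 8.4 (assumed names/addresses; only the subnets come from the thread) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 177.1.1.1 255.255.255.0      ! assumed inside subnet

! Objects for the AnyConnect pool and the LAN subnets that must reach it
object network NETWORK_OBJ_10.11.10.0_24
 subnet 10.11.10.0 255.255.255.0
object-group network LAN_NETS
 network-object 177.1.1.0 255.255.255.0   ! assumed directly-connected inside subnet
 network-object 177.1.10.0 255.255.255.0  ! SVI on the Cat3560
 network-object 177.1.11.0 255.255.255.0  ! SVI on the Cat3560

! Identity (exempt) NAT, in the form the SSL VPN wizard generates; route-lookup makes the
! ASA use the routing table rather than the NAT rule to pick the egress interface
nat (inside,outside) source static LAN_NETS LAN_NETS destination static NETWORK_OBJ_10.11.10.0_24 NETWORK_OBJ_10.11.10.0_24 no-proxy-arp route-lookup

! The ASA must know that the SVI subnets live behind the switch's routed port,
! otherwise return traffic from VPN clients to 177.1.10.x/177.1.11.x is dropped or misrouted
route inside 177.1.10.0 255.255.255.0 177.1.1.2 1
route inside 177.1.11.0 255.255.255.0 177.1.1.2 1

! Checks: simulate a LAN host pinging a VPN client, and confirm the pool is reachable via the tunnel
! packet-tracer input inside icmp 177.1.10.50 8 0 10.11.10.5
! show route | include 10.11.10.0|177.1.1[01].0
! show nat detail

! ===== Cat3560 (assumed interface numbers) =====
ip routing
interface GigabitEthernet0/1
 no switchport
 ip address 177.1.1.2 255.255.255.0      ! routed uplink toward the ASA inside interface
interface Vlan10
 ip address 177.1.10.1 255.255.255.0
interface Vlan11
 ip address 177.1.11.1 255.255.255.0

! The piece that was missing in the thread: the VPN pool must be routed to the ASA,
! not to the switch's default route toward another router
ip route 10.11.10.0 255.255.255.0 177.1.1.1

! Checks from the switch, sourcing the SVI rather than the uplink address
! show ip route 10.11.10.0
! ping 10.11.10.5 source Vlan10
```

The packet-tracer and ping checks separate the two failure modes the thread walks through: if packet-tracer on the ASA shows the flow allowed and routed out the outside interface toward the tunnel, the ASA is fine and the problem is the switch's route for 10.11.10.0/24; if packet-tracer shows a NAT or ACL drop, the exemption or interface ACL needs attention before touching the switch.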
